<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE topic
  PUBLIC "-//OASIS//DTD DITA Composite//EN" "ditabase.dtd">
<topic id="topic1">
    <title id="bz20941">CREATE ROLE</title>
    <body>
        <p id="sql_command_desc">Defines a new database role (user or group).</p>
        <section id="section2">
            <title>Synopsis</title>
            <codeblock id="sql_command_synopsis">CREATE ROLE <varname>name</varname> [[WITH] <varname>option</varname> [ ... ]]</codeblock>
            <p>where <varname>option</varname> can be:</p>
            <codeblock>      SUPERUSER | NOSUPERUSER
    | CREATEDB | NOCREATEDB
    | CREATEROLE | NOCREATEROLE
    | CREATEUSER | NOCREATEUSER
    | CREATEEXTTABLE | NOCREATEEXTTABLE 
      [ ( <varname>attribute</varname>='<varname>value</varname>'[, ...] ) ]
           where <varname>attributes</varname> and <varname>value</varname> are:
           type='readable'|'writable'
           protocol='gpfdist'|'http'
    | INHERIT | NOINHERIT
    | LOGIN | NOLOGIN
    | REPLICATION | NOREPLICATION
    | CONNECTION LIMIT <varname>connlimit</varname>
    | [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<varname>password</varname>'
    | VALID UNTIL '<varname>timestamp</varname>' 
    | IN ROLE <varname>rolename</varname> [, ...]
    | ROLE <varname>rolename</varname> [, ...]
    | ADMIN <varname>rolename</varname> [, ...]
    | USER <varname>rolename</varname> [, ...]
    | SYSID <varname>uid</varname> [, ...]
    | RESOURCE QUEUE <varname>queue_name</varname>
    | RESOURCE GROUP <varname>group_name</varname>
    | [ DENY <varname>deny_point</varname> ]
    | [ DENY BETWEEN <varname>deny_point</varname> AND <varname>deny_point</varname>]</codeblock>
        </section>
        <section id="section3">
            <title>Description</title>
            <p><codeph>CREATE ROLE</codeph> adds a new role to a Greenplum Database system. A role
                is an entity that can own database objects and have database privileges. A role can
                be considered a user, a group, or both depending on how it is used. You must have
                    <codeph>CREATEROLE</codeph> privilege or be a database superuser to use this
                command. </p>
            <p>Note that roles are defined at the system-level and are valid for all databases in
                your Greenplum Database system.</p>
        </section>
        <section id="section4">
            <title>Parameters</title>
            <parml>
                <plentry>
                    <pt>
                        <varname>name</varname>
                    </pt>
                    <pd>The name of the new role. </pd>
                </plentry>
                <plentry>
                    <pt>SUPERUSER</pt>
                    <pt>NOSUPERUSER</pt>
                    <pd>If <codeph>SUPERUSER</codeph> is specified, the role being defined will be a
                        superuser, who can override all access restrictions within the database.
                        Superuser status is dangerous and should be used only when really needed.
                        You must yourself be a superuser to create a new superuser.
                            <codeph>NOSUPERUSER</codeph> is the default. </pd>
                </plentry>
                <plentry>
                    <pt>CREATEDB</pt>
                    <pt>NOCREATEDB</pt>
                    <pd>If <codeph>CREATEDB</codeph> is specified, the role being defined will be
                        allowed to create new databases. <codeph>NOCREATEDB</codeph> (the default)
                        will deny a role the ability to create databases. </pd>
                </plentry>
                <plentry>
                    <pt>CREATEROLE</pt>
                    <pt>NOCREATEROLE</pt>
                    <pd>If <codeph>CREATEROLE</codeph> is specified, the role being defined will be
                        allowed to create new roles, alter other roles, and drop other roles.
                            <codeph>NOCREATEROLE</codeph> (the default) will deny a role the ability
                        to create roles or modify roles other than their own. </pd>
                </plentry>
                <plentry>
                    <pt>CREATEUSER</pt>
                    <pt>NOCREATEUSER</pt>
                    <pd>These clauses are obsolete, but still accepted, spellings of
                            <codeph>SUPERUSER</codeph> and <codeph>NOSUPERUSER</codeph>. Note that
                        they are not equivalent to the <codeph>CREATEROLE</codeph> and
                            <codeph>NOCREATEROLE</codeph> clauses.</pd>
                </plentry>
                <plentry>
                    <pt>CREATEEXTTABLE</pt>
                    <pt>NOCREATEEXTTABLE</pt>
                    <pd>If <codeph>CREATEEXTTABLE</codeph> is specified, the role being defined is
                        allowed to create external tables. The default <codeph>type</codeph> is
                            <codeph>readable</codeph> and the default <codeph>protocol</codeph> is
                            <codeph>gpfdist</codeph>, if not specified. Valid types are
                            <codeph>gpfdist</codeph>, <codeph>gpfdists</codeph>,
                            <codeph>http</codeph>, and <codeph>https</codeph>.
                            <codeph>NOCREATEEXTTABLE</codeph> (the default type) denies the role the
                        ability to create external tables. Note that external tables that use the
                            <codeph>file</codeph> or <codeph>execute</codeph> protocols can only be
                        created by superusers. </pd>
                    <pd>Use the <codeph>GRANT...ON PROTOCOL</codeph> command to allow users to
                        create and use external tables with a custom protocol type, including the
                            <codeph>s3</codeph> and <codeph>pxf</codeph> protocols included with
                        Greenplum Database.</pd>
                </plentry>
                <plentry>
                    <pt>INHERIT</pt>
                    <pt>NOINHERIT</pt>
                    <pd>If specified, <codeph>INHERIT</codeph> (the default) allows the role to use
                        whatever database privileges have been granted to all roles it is directly
                        or indirectly a member of. With <codeph>NOINHERIT</codeph>, membership in
                        another role only grants the ability to <codeph>SET ROLE</codeph> to that
                        other role.</pd>
                </plentry>
                <plentry>
                    <pt>LOGIN</pt>
                    <pt>NOLOGIN</pt>
                    <pd>If specified, <codeph>LOGIN</codeph> allows a role to log in to a database.
                        A role having the <codeph>LOGIN</codeph> attribute can be thought of as a
                        user. Roles with <codeph>NOLOGIN</codeph> are useful for managing database
                        privileges, and can be thought of as groups. If not specified,
                            <codeph>NOLOGIN</codeph> is the default, except when <codeph>CREATE
                            ROLE</codeph> is invoked through its alternative spelling <codeph><xref
                                href="CREATE_USER.xml#topic1">CREATE USER</xref></codeph>.</pd>
                </plentry>
                <plentry>
                    <pt>REPLICATION</pt>
                    <pt>NOREPLICATION</pt>
                    <pd>These clauses determine whether a role is allowed to initiate streaming
                        replication or put the system in and out of backup mode. A role having the
                            <codeph>REPLICATION</codeph> attribute is a very highly privileged role,
                        and should only be used on roles actually used for replication. If not
                        specified, <codeph>NOREPLICATION</codeph> is the default .</pd>
                </plentry>
                <plentry>
                    <pt>CONNECTION LIMIT <varname>connlimit</varname></pt>
                    <pd>The number maximum of concurrent connections this role can make. The default
                        of -1 means there is no limitation.</pd>
                </plentry>
            </parml>
            <parml>
                <plentry>
                    <pt>PASSWORD <varname>password</varname></pt>
                    <pd>Sets the user password for roles with the <codeph>LOGIN</codeph> attribute.
                        If you do not plan to use password authentication you can omit this option.
                        If no password is specified, the password will be set to null and password
                        authentication will always fail for that user. A null password can
                        optionally be written explicitly as <codeph>PASSWORD NULL</codeph>. </pd>
                </plentry>
                <plentry>
                    <pt>ENCRYPTED</pt>
                    <pt>UNENCRYPTED</pt>
                    <pd>These key words control whether the password is stored encrypted in the
                        system catalogs. (If neither is specified, the default behavior is
                        determined by the configuration parameter
                            <varname>password_encryption</varname>.) If the presented password
                        string is already in MD5-encrypted format, then it is stored encrypted
                        as-is, regardless of whether <codeph>ENCRYPTED</codeph> or
                            <codeph>UNENCRYPTED</codeph> is specified (since the system cannot
                        decrypt the specified encrypted password string). This allows reloading of
                        encrypted passwords during dump/restore.</pd>
                </plentry>
                <plentry>
                    <pt>VALID UNTIL <varname>'timestamp'</varname></pt>
                    <pd>The VALID UNTIL clause sets a date and time after which the role's password
                        is no longer valid. If this clause is omitted the password will never
                        expire. </pd>
                </plentry>
                <plentry>
                    <pt>IN ROLE <varname>rolename</varname></pt>
                    <pd>Adds the new role as a member of the named roles. Note that there is no
                        option to add the new role as an administrator; use a separate
                            <codeph>GRANT</codeph> command to do that.</pd>
                </plentry>
                <plentry>
                    <pt>ROLE <varname>rolename</varname></pt>
                    <pd>Adds the named roles as members of this role, making this new role a
                        group.</pd>
                </plentry>
                <plentry>
                    <pt>ADMIN <varname>rolename</varname></pt>
                    <pd>The <codeph>ADMIN</codeph> clause is like <codeph>ROLE</codeph>, but the
                        named roles are added to the new role <codeph>WITH ADMIN OPTION</codeph>,
                        giving them the right to grant membership in this role to others.</pd>
                </plentry>
                <plentry>
                    <pt>RESOURCE GROUP <varname>group_name</varname></pt>
                    <pd> The name of the resource group to assign to the new role. The role will
                        be subject to the concurrent transaction, memory, and CPU limits configured
                        for the resource group. You can assign a single resource group to one or
                        more roles.</pd>
                    <pd>If you do not specify a resource group for a new role, the role is
                        automatically assigned the default resource group for the role's capability,
                            <codeph>admin_group</codeph> for <codeph>SUPERUSER</codeph> roles,
                            <codeph>default_group</codeph> for non-admin roles.</pd>
                    <pd>You can assign the <codeph>admin_group</codeph> resource group to any role
                        having the <codeph>SUPERUSER</codeph> attribute.</pd>
                    <pd>You can assign the <codeph>default_group</codeph> resource group to any
                        role.</pd>
                    <pd>You cannot assign a resource group that you create for an external component to a role.</pd></plentry>
                <plentry>
                    <pt>RESOURCE QUEUE <varname>queue_name</varname></pt>
                    <pd>The name of the resource queue to which the new user-level role is to be
                        assigned. Only roles with <codeph>LOGIN</codeph> privilege can be assigned
                        to a resource queue. The special keyword <codeph>NONE</codeph> means that
                        the role is assigned to the default resource queue. A role can only belong
                        to one resource queue. </pd>
                    <pd>Roles with the <codeph>SUPERUSER</codeph> attribute are exempt from resource
                        queue limits. For a superuser role, queries always run immediately
                        regardless of limits imposed by an assigned resource queue.</pd>
                </plentry>
                <plentry>
                    <pt>DENY <varname>deny_point</varname></pt>
                    <pt>DENY BETWEEN <varname>deny_point</varname> AND
                        <varname>deny_point</varname></pt>
                    <pd>The <codeph>DENY</codeph> and <codeph>DENY BETWEEN</codeph> keywords set
                        time-based constraints that are enforced at login. <codeph>DENY</codeph>
                        sets a day or a day and time to deny access. <codeph>DENY BETWEEN</codeph>
                        sets an interval during which access is denied. Both use the parameter
                            <varname>deny_point</varname> that has the following format:</pd>
                    <pd>
                        <codeblock>DAY day [ TIME 'time' ]</codeblock>
                    </pd>
                    <pd>The two parts of the <codeph>deny_point</codeph> parameter use the following
                        formats:</pd>
                    <pd>
                        <p>For <codeph>day</codeph>:</p>
                        <codeblock>{'Sunday' | 'Monday' | 'Tuesday' |'Wednesday' | 'Thursday' | 'Friday' | 
'Saturday' | 0-6 }</codeblock>
                        <p>For <codeph>time</codeph>:</p>
                        <codeblock>{ 00-23 : 00-59 | 01-12 : 00-59 { AM | PM }}</codeblock>
                    </pd>
                    <pd>The <codeph>DENY BETWEEN</codeph> clause uses two
                            <varname>deny_point</varname>
                        parameters:<codeblock>DENY BETWEEN <varname>deny_point</varname> AND <varname>deny_point</varname></codeblock></pd>
                    <pd>For more information and examples about time-based constraints, see
                        "Managing Roles and Privileges" in the <i>Greenplum Database Administrator
                            Guide</i>.</pd>
                </plentry>
            </parml>
        </section>
        <section id="section5">
            <title>Notes</title>
            <p>The preferred way to add and remove role members (manage groups) is to use
                        <codeph><xref href="./GRANT.xml#topic1" type="topic" format="dita"
                    /></codeph> and <codeph><xref href="./REVOKE.xml#topic1" type="topic"
                        format="dita"/></codeph>. </p>
            <p>The <codeph>VALID UNTIL</codeph> clause defines an expiration time for a password
                only, not for the role. The expiration time is not enforced when logging in using a
                non-password-based authentication method. </p>
            <p>The <codeph>INHERIT</codeph> attribute governs inheritance of grantable privileges
                (access privileges for database objects and role memberships). It does not apply to
                the special role attributes set by <codeph>CREATE ROLE</codeph> and <codeph>ALTER
                    ROLE</codeph>. For example, being a member of a role with
                    <codeph>CREATEDB</codeph> privilege does not immediately grant the ability to
                create databases, even if <codeph>INHERIT</codeph> is set. These
                privileges/attributes are never inherited: <codeph>SUPERUSER</codeph>,
                    <codeph>CREATEDB</codeph>, <codeph>CREATEROLE</codeph>,
                    <codeph>CREATEEXTTABLE</codeph>, <codeph>LOGIN</codeph>, <codeph>RESOURCE
                    GROUP</codeph>, and <codeph>RESOURCE QUEUE</codeph>. The attributes must be set
                on each user-level role.</p>
            <p>The <codeph>INHERIT</codeph> attribute is the default for reasons of backwards
                compatibility. In prior releases of Greenplum Database, users always had access to
                all privileges of groups they were members of. However, <codeph>NOINHERIT</codeph>
                provides a closer match to the semantics specified in the SQL standard.</p>
            <p>Be careful with the <codeph>CREATEROLE</codeph> privilege. There is no concept of
                inheritance for the privileges of a <codeph>CREATEROLE</codeph>-role. That means
                that even if a role does not have a certain privilege but is allowed to create other
                roles, it can easily create another role with different privileges than its own
                (except for creating roles with superuser privileges). For example, if a role has
                the <codeph>CREATEROLE</codeph> privilege but not the <codeph>CREATEDB</codeph>
                privilege, it can create a new role with the <codeph>CREATEDB</codeph> privilege.
                Therefore, regard roles that have the <codeph>CREATEROLE</codeph> privilege as
                almost-superuser-roles. </p>
            <p>The <codeph>CONNECTION LIMIT</codeph> option is never enforced for superusers. </p>
            <p>Caution must be exercised when specifying an unencrypted password with this command.
                The password will be transmitted to the server in clear-text, and it might also be
                logged in the client's command history or the server log. The client program
                    <codeph>createuser</codeph>, however, transmits the password encrypted. Also,
                psql contains a command <codeph>\password</codeph> that can be used to safely change
                the password later.</p>
        </section>
        <section id="section6">
            <title>Examples</title>
            <p>Create a role that can log in, but don't give it a password:</p>
            <codeblock>CREATE ROLE jonathan LOGIN;</codeblock>
            <p>Create a role that belongs to a resource queue:</p>
            <codeblock>CREATE ROLE jonathan LOGIN RESOURCE QUEUE poweruser;</codeblock>
            <p>Create a role with a password that is valid until the end of 2016 (<codeph>CREATE
                    USER</codeph> is the same as <codeph>CREATE ROLE</codeph> except that it implies
                    <codeph>LOGIN</codeph>):</p>
            <codeblock>CREATE USER joelle WITH PASSWORD 'jw8s0F4' VALID UNTIL '2017-01-01';</codeblock>
            <p>Create a role that can create databases and manage other roles:</p>
            <codeblock>CREATE ROLE admin WITH CREATEDB CREATEROLE;</codeblock>
            <p>Create a role that does not allow login access on Sundays:</p>
            <codeblock>CREATE ROLE user3 DENY DAY 'Sunday';</codeblock>
            <p>Create a role that can create readable and writable external tables of type
                'gpfdist':</p>
            <codeblock>CREATE ROLE jan WITH CREATEEXTTABLE(type='readable', protocol='gpfdist')
   CREATEEXTTABLE(type='writable', protocol='gpfdist'); </codeblock>
            <p>Create a role, assigning a resource group:</p>
            <codeblock>CREATE ROLE bill RESOURCE GROUP rg_light;</codeblock>
        </section>
        <section id="section7">
            <title>Compatibility</title>
            <p>The SQL standard defines the concepts of users and roles, but it regards them as
                distinct concepts and leaves all commands defining users to be specified by the
                database implementation. In Greenplum Database users and roles are unified into a
                single type of object. Roles therefore have many more optional attributes than they
                do in the standard. </p>
            <p><codeph>CREATE ROLE</codeph> is in the SQL standard, but the standard only requires
                the syntax:</p>
            <codeblock>CREATE ROLE <varname>name</varname> [WITH ADMIN <varname>rolename</varname>]</codeblock>
            <p>Allowing multiple initial administrators, and all the other options of <codeph>CREATE
                    ROLE</codeph>, are Greenplum Database extensions.</p>
            <p>The behavior specified by the SQL standard is most closely approximated by giving
                users the <codeph>NOINHERIT</codeph> attribute, while roles are given the
                    <codeph>INHERIT</codeph> attribute.</p>
        </section>
        <section id="section8">
            <title>See Also</title>
            <p><codeph><xref href="./SET_ROLE.xml#topic1" type="topic" format="dita"/></codeph>,
                        <codeph><xref href="ALTER_ROLE.xml#topic1" type="topic" format="dita"
                    /></codeph>, <codeph><xref href="./DROP_ROLE.xml#topic1" type="topic"
                        format="dita"/></codeph>, <codeph><xref href="./GRANT.xml#topic1"
                        type="topic" format="dita"/></codeph>, <codeph><xref
                        href="./REVOKE.xml#topic1" type="topic" format="dita"/></codeph>,
                        <codeph><xref href="CREATE_RESOURCE_QUEUE.xml#topic1" type="topic"
                        format="dita"/></codeph>
                <codeph><xref href="CREATE_RESOURCE_GROUP.xml#topic1" type="topic" format="dita"
                    /></codeph></p>
        </section>
    </body>
</topic>
